MediaWiki talk:UserWikiInfo/code.js
Submitted script change 63883 rejected

The recently submitted change to this JavaScript page (revision 63883) was rejected by the FANDOM review process. Please make sure you meet the .

If I'm understanding this code correctly, it's giving powers to a non-user (that is, an anon editor) which they wouldn't normally have, or at least not this easily. Registration should be required to gain additional powers, particularly when it comes to checking out other users' actions on the FANDOM network. ---- CzechOut 18:12, October 5, 2017 (UTC)

:Hi CzechOut. Sorry if I didn't make myself clear, but the code doesn't help the non-users to have some kind of abilities, it just lets them see the box of #UserWikiInfo in the profiles. -- Clear Arrow

::Well, by "power" I meant the right to do something they couldn't normally do. And they'd have the ability to see #UserWikiInfo, and its contents, more easily. So, in my view, it is a new power the script would be granting an anon.
::But the bigger deal which I didn't mention above is just that it's pointless. The script as a whole is for Monobook. Anon users can't see Monobook, except by adding ?useskin=monobook to a URL. But that's not a persistent state; you'd have to do it every single time. And it honestly would be quicker to just log in than to add that API mod on every single page load. That's doubtless why Ciencia didn't include the ability in his original code. -- CzechOut 19:01, October 5, 2017 (UTC)

::: The script does not grant any additional rights to anons. I don't see any problem with letting anons see what they can already see in different ways than usual. Would a script revision be rejected just because it makes the life of anons easier?
::: Most importantly, it is not pointless. The script change is ensuring the mediawiki.api module is loaded, and otherwise users would be getting a mw.Api is not defined error (not always, but often). Even for logged-in users. I've had this happen to so many scripts of mine. -- Cube-shaped 19:13, October 5, 2017 (UTC)

::::Well, if a script made an anon's life easier by allowing them to edit semi-protected pages, or to move pages, or to upload images, it would definitely be rejected. Rights aren't just about doing things, though. Don't forget that in MediaWiki, the ability to even read a page is itself a right which can be turned off.
::::But the bigger point is, again, anons can't even use this script in any significant way. Anons don't see Monobook. So the easiest thing by far for anons who want to use Monobook is to simply log in.
::::And keeping this feature away from anons protects us against anons who aren't actually people. There's probably some threat vector by which a bot could use this loophole to harvest information about the editing practices of registered users in order to know which user accounts to target.
::::At the end of the day, the use case for anons on Monobook is so tiny that it's not worth whatever small security risk might be present.
::::Clearly, though, I'm sympathetic to the other issue you've introduced. Please feel free to submit another revision which addresses mw.api loading in a different way. -- CzechOut 19:56, October 5, 2017 (UTC)

::::: There is no way a script on Dev Wiki can change an anon's right to edit semi-protected pages, move pages or upload images unless it is querying WikiFactory endpoints directly, and even then that script would have to be run by a Staff member to actually work, as normal users do not have the right to use WikiFactory. If there was a way, that would be a security issue Wikia would have to fix themselves on their end (as Agent Zuri already explained).
::::: I'm not talking about anon use of this script. Anons will not use it and that doesn't matter. What I'm talking about is logged-in users using this script and getting a mw.Api is not defined error due to the mediawiki.api module not being loaded properly for them. Again, I've had this happen in so many scripts of mine and making the mediawiki.api correctly load fixed these issues.
::::: No, bots cannot harvest information from other users with this script. Unless you mean that bots will know what kind of tools are installed sitewide, but that doesn't really matter at all and doesn't make this script less secure. After all, bots are clever enough to log themselves in nowadays. -- Cube-shaped 20:10, October 5, 2017 (UTC)

::::: I checked the JavaScript Guidelines help page and I think you're rejecting the revision to this script on personal arbitration and not actually violating any of the guidelines. — KnazO 20:18, October 5, 2017 (UTC)

:::::::I have to add that there are other site-wide scripts using mw.loader.using('mediawiki.api', so I don't know why this isn't valid. I already changed it, so it doesn't affect anons anymore.
:::::::Regards.

::::: Honestly, I think preload is a bigger security issue than this. Game Moderator • Talk • 09:25, October 6, 2017 (UTC)

Submitted script change 63892 rejected

The recently submitted change to this JavaScript page (revision 63892) was rejected by the FANDOM review process. Please make sure you meet the .

Rejected this revision. Would be cleaner if you completely removed the whole snippet rather than just commenting out the first line of it. You're kinda asking me to approve something that doesn't work, rather than something that isn't there anymore. ---- CzechOut 19:11, October 5, 2017 (UTC)

:Ok, I removed the issue. I just commented that while I was waiting for your answer, now I think everything is OK.
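
The module-loading point raised in the first thread, as an added example that is not part of UserWikiInfo/code.js or of any participant's post: the API object is constructed only inside the `mw.loader.using('mediawiki.api')` continuation, and anonymous visitors are skipped. `withApi`, `makeStubMw` and `unguarded` are hypothetical names, and the stub is a constructed stand-in for the browser's `mw` global so the load race can be run under Node.

```javascript
// Added example; the helper names are hypothetical, not from the script.
function withApi(mw, callback) {
  // wgUserName is null for anonymous visitors: do nothing for them.
  if (mw.config.get('wgUserName') === null) {
    return Promise.resolve({ ran: false, reason: 'anon' });
  }
  // mw.Api exists only after the mediawiki.api module has executed, so it
  // is constructed inside the using() continuation, never before it.
  return Promise.resolve(mw.loader.using('mediawiki.api')).then(function () {
    return { ran: true, result: callback(new mw.Api()) };
  });
}

// Constructed stub: the module arrives asynchronously, as on a real page.
function makeStubMw(userName) {
  const mw = {
    config: {
      get: function (key) { return key === 'wgUserName' ? userName : undefined; }
    },
    loader: {
      using: function (name) {
        return new Promise(function (resolve) {
          setTimeout(function () {
            if (name === 'mediawiki.api') {
              mw.Api = function Api() { this.ready = true; };
            }
            resolve();
          }, 5);
        });
      }
    }
  };
  return mw;
}

// The unguarded pattern: touching mw.Api before the module has loaded.
function unguarded(mw) {
  try { return new mw.Api(); } catch (e) { return e.constructor.name; }
}
```

In a browser the call would be `withApi(window.mw, function (api) { ... })`, with the stub left out.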